PCI DSS version 3.2 due for release in March/April 2016

The PCI Security Standards Council has announced that it will publish a new version of the PCI Data Security Standard (PCI DSS) in early 2016.

PCI DSS 3.2 is due for release as early as March/April 2016.

The Council also reminded companies required to comply with the PCI DSS that the deadline to migrate from SSL and early TLS has now officially moved from 2016 to 2018.

The new release will incorporate the revised migration dates and address changes in the threat and payment acceptance landscape.

What is changing?

Troy Leach, Council CTO, explains: “For 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed; and including the updated migration dates for SSL/early TLS that were published in December 2015.”

PCI DSS is now a mature standard

The Council says that there will be no release issued in November (as used to be standard practice every three years): “the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard.”

“Version 3.2 will become effective as soon as it’s published, and version 3.1 will be retired three months later to allow organizations to complete PCI DSS v3.1 assessments already under way”, Leach said.

“The revision of PCI DSS is as good a time as any to re-evaluate how to minimize effort while improving security posture”, said Leach.

How should companies start preparing for the new standard?

Leach said that it is a “healthy practice for companies to”:

  • regularly evaluate how they accept payments to establish how they can reduce the risk to their customers and the organisation by changing business practices for cardholder data exposure;
  • evaluate newer payment technology like tokenization and encryption; and
  • assess whether their third-party service providers understand the importance of the upcoming changes as well.

Book an expert gap analysis with a PCI DSS QSA today to assess your compliance status against the PCI DSS.
